2262169 – (CVE-2024-1481) CVE-2024-1481 freeipa: specially crafted HTTP requests potentially lead to denial of service

Bug 2262169 (CVE-2024-1481) - CVE-2024-1481 freeipa: specially crafted HTTP requests potentially lead to denial of service

Summary: CVE-2024-1481 freeipa: specially crafted HTTP requests potentially lead to de...

Keywords:
Status:	NEW
Alias:	CVE-2024-1481
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Duplicates (1):	2271726 (view as bug list)
Depends On:	2265129
Blocks:	2262165 2271727
TreeView+	depends on / blocked

Reported:	2024-01-31 21:51 UTC by Robb Gatica
Modified:	2024-04-30 09:39 UTC (History)
CC List:	8 users (show)
Fixed In Version:	freeipa-4.11.1
Doc Type:	If docs needed, set a value
Doc Text:	A flaw was found in FreeIPA. This issue may allow a remote attacker to craft a HTTP request with parameters that can be interpreted as command arguments to kinit on the FreeIPA server, which can lead to a denial of service.
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2024:2147	0	None	None	None	2024-04-30 09:39:40 UTC

Description Robb Gatica 2024-01-31 21:51:33 UTC

Summary:
Specially crafted HTTP requests can read files in the DC server. And use keytab files for authorization for different kerberos principals.

Tested FreeIPA version:
ipa-server-4.10.1

Details
The "user" parameter in the HTTP URI "/sip/session/login_password" is inserted into the "run" function from the file "ipautil.py". Then it is passed as an argument to the "subprocess.Popen". As a result, the following list is passed: "args=['/usr/bin/kinit', '{user params}', '-c', /run/ipa/ccaches/kinit_13704', '-T', '/run/ipa/ccaches/armor_13704', '-C', '-E']". If instead of "{user params}" there is a string "-V", then it will be taken as an argument for "kinit". As a result, remote attackers can use options such as "-t", "-X", "-S" or "-I" for DOS, or use the keytab file from the system to log in under participants without a password.

PoC (attached screenshots):
Simple request with "user=-H&password=0000000"
With multiple parameters "user=-Vkt&password=0000000"

Impact
Possible DOS, use keytab from system and read files on DC.

Comment 10 Robb Gatica 2024-02-20 15:09:45 UTC

Created freeipa tracking bugs for this issue:

Affects: fedora-all [bug 2265129]

Comment 16 TEJ RATHI 2024-03-27 07:09:03 UTC

*** Bug 2271726 has been marked as a duplicate of this bug. ***

Comment 17 errata-xmlrpc 2024-04-30 09:39:39 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2024:2147 https://access.redhat.com/errata/RHSA-2024:2147

Note You need to log in before you can comment on or make changes to this bug.